An Update on Chinese Cyber Espionage Activities: Putter Panda


2014-06-30 Recently CrowdStrike released a report on recent Chinese cyber espionage activities.

Monday, June 9, 2014, CrowdStrike publicly released a report on a group called Putter Panda, a cyber espionage actor that conducts operations from Shanghai, China, likely on behalf of the Chinese People’s Liberation Army (PLA) 3rd Department 12th Bureau Unit 61486. 

Putter Panda is a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of space, aerospace, and communications.

The report can be downloaded here:

In the introduction to the report, George Kurtz, President/CEO and Co-Founder of CrowdStrike provided the following overview to the report:

In May 2014, the U.S. Department of Justice charged five Chinese nationals for economic espionage against U.S. corporations. The five known state actors are officers in Unit 61398 of the Chinese People’s Liberation Army (PLA). In response, the Chinese government stated that the claims were “absurd” and based on “fabricated facts”.

China then went even further, stating “The Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber theft of trade secrets.”

We believe that organizations, be they governments or corporations, global or domestic, must keep up the pressure and hold China accountable until lasting change is achieved. Not only did the U.S. Government offer in its criminal indictment the foundation of evidence designed to prove China’s culpability in electronic espionage, but also illustrated that the charges are only the tip of a very large iceberg. Those reading the indictment should not conclude that the People’s Republic of China (PRC) hacking campaign is limited to five soldiers in one military unit, or that they solely target the United States government and corporations.

Rather, China’s decade-long economic espionage campaign is massive and unrelenting.

Through widespread espionage campaigns, Chinese threat actors are targeting companies and governments in every part of the globe.

At CrowdStrike, we see evidence of this activity first-hand as our services team conducts Incident Response investigations and responds to security breaches at some of the largest organizations around the world. We have first-hand insight into the billions of dollars of intellectual property systematically leaving many of the largest corporations – often times unbeknownst to their executives and boards of directors.

The campaign that is the subject of this report further points to espionage activity outside of Unit 61398, and reveals the activities of Unit 61486. Unit 61486 is the 12th Bureau of the PLA’s 3rd General Staff Department (GSD) and is headquartered in Shanghai, China. The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007.

The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.

This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets, primarily relating to the satellite, aerospace and communication industries. With revenues totaling $189.2 billion

in 2013, the satellite industry is a prime target for espionage campaigns that result in the theft of high-stakes intellectual property. While the gains from electronic theft are hard to quantify, stolen information undoubtedly results in an improved competitive edge, reduced research and development timetables, and insight into strategy and vulnerabilities of the targeted organization.

Parts of the PUTTER PANDA toolset and tradecraft have been previously documented, both by CrowdStrike, and in open source, where they are referred to as the MSUpdater group. This report contains details on the tactics, tools, and techniques used by PUTTER PANDA, and provides indicators and signatures that can be leveraged by organizations to protect themselves against this activity. Our Global Intelligence Team actively tracks and reports on more than 70 espionage groups, approximately half of which operate out of China and are believed to be tied to the Chinese government.

This report is part of our extensive intelligence library and was made available to our intelligence subscribers in April 2014, prior to the US Government’s criminal indictment and China’s subsequent refusal to engage in a constructive dialog.

Targeted economic espionage campaigns compromise technological advantage, diminish global competition, and ultimately have no geographic borders.

We believe the U.S. Government indictments and global acknowledgment and awareness are important steps in the right direction. In support of these efforts, we are making this report available to the public to continue the dialog around this ever-present threat.

For a related PRC activity see the following Special Report:

The National Computer Quality Supervising Center: A Core Chinese Dual Use Technology Capability

China’s NCTC has been established and organized to promote national industrial electronic information scientific and technical development.

The NCTC, through its own public documentation, is explicitly set up as a dual-use information technology industry support organization.

The NCTC provides national professional test services for products such as computers, computer peripherals, computer network equipment, fiscal cash registers, second generation identity card reading (verification) equipment, computer room equipment and engineering, printed circuit boards, electronic components, integrated network cabling, software, IC card and equipment, RFID and equipment, and computer energy savings.

No overarching organization comparable to the NCTC is known to exist in the US or in any other major Western IT industrial state.

The NCTC is an integral component of the Chinese government policy-driven infrastructure for IT equipment design and testing, which has resulted in an increasingly innovative industry that has expanded China’s share of the global telecommunications and IT equipment market.